Illustrate the evolution of HTTPS and various encryption and decryption processes

HTTP – > HTTPS

HHTP access
The HTTPS access

· Direct reasons, as shown in the figure above, the most obvious difference between using HTTP and HTTPS to visit the website is the use of HTTP to visit the website, the browser directly marked as “unsafe” website, usually when I surf the web, I will feel nervous when I encounter such a website, and no one will dare to pay at will.

· The main reason is that the browser is not forced to change the protocol because it is full of nothing to do. The main reason is that HTTP is plaintext transmission, which is equivalent to running naked in the network environment, which is quite dangerous. If you want to pay, your bank card password is hijacked by others, you will not be gg. Therefore, the behavior of the browser is responsible to the user, and the site that does not change is either broke, or lazy, or the site is not the customer love ~

Imagine, HTTP is so insecure, let you design a secure, everyone’s first reaction will be data encryption, so how to encrypt, to see the evolution of the process.

Symmetric encryption

In the spy drama, two radio stations communicate, sending irregular messages in cipher text. The two stations decipher information by using the cipher book, which is passed by the underground spy agents. This process corresponds to the network transmission of messages as shown below:

WechatIMG74

In the encryption method of single-key cryptosystem, the same key can be used to encrypt and decrypt information at the same time. This encryption method is called symmetric encryption, also called single-key encryption. Here I only talk about the idea model, the specific encryption and decryption algorithm process does not explain. For web applications, you can look at the picture, which is ideal, you’re good, you’re good, you’re good, you’re good, but there are two problems:

The first step, the password of the transfer process, if the agent a traitor, traitor to get the password this copy one for his organization, then don’t look to pass the password of this movement, then the radio between the cryptograph transfer in the enemy’s eyes as clear distinction of it doesn’t matter, corresponding to the network of secret key by hackers capture process.

· password management problems, radio will be responsible for so much information every day, in order to secure and can’t be all local radio message from the crack with a password, so once the password this entire leak ones, so the corresponding to the network application, is the need to separate for each user on the server and generate a secret key management, so many customers in the Internet, The cost of managing the secret keys would be so high that the Web services scenario would not work.

Common symmetric encryption algorithms include DES, 3DES, Blowfish, IDEA, RC4, RC5, RC6, and AES.

Asymmetric encryption

Play to play to play, don’t take safety joke, say one thing, “wild Wolf Disco” is a good song

Asymmetric encryption mainly solves security problems. The client and server generate a pair of secret keys respectively. The private key is kept by the client and the public key is exposed to the other party, and then the encryption is transmitted with the public key given by the other party. Each custody of a private key, do not need to transmit, there will not be password leakage.

The public key and private key are a pair. If the public key is used to encrypt data, only the corresponding private key can be used to decrypt data. Because encryption and decryption use two different keys, the algorithm is called asymmetric encryption.

In this way, the server only needs to save its own secret key, the problem of managing the secret key is solved, and the purpose of encrypting data is also achieved, but there are still problems:

· The biggest problem appears in the first step of public key transfer. How can I trust your public key? You know, this place is still streaking. If there is a “middle dog” that deliberately sabotages you, unable to crack you but trying to cripple you, tampering with the public key that both parties sent to each other, masquerading as a random public key, then both parties can encrypt each other’s data with the fake public key and never decrypt it.

· The second is that encryption and decryption take a long time, slow speed, only suitable for a small amount of data encryption.

HTTPS whole process = Symmetric encryption + asymmetric encryption + digital certificate

In the real world, trust problems are usually solved by “Authority” or endorsement of Authority figures. HTTPS is such a case. The operating system starts with the built-in digital Certificate of each major Certificate Authority (CA) as the system root Certificate. MacOS can be viewed by [Keychain -> System Root Certificate], as shown in the figure:

· In the certificate sent by the server (Click on the left side of the address bar in Chrome, you can see the details of the certificate), the digital certificate mainly contains the following contents:

  1. Certificate issuing authority (CA
  2. Validity of certificate
  3. The owner of the certificate, the domain name of the certificate, the company name, and so on
  4. The public key
  5. Certificate signing

· Client verification certificate credibility can be simply divided into the following steps:

  1. The CA specified for the verification certificate is in the root certificate of the operating system
  2. Verify the certificate is within the validity period
  3. Verifying the signature of the certificate, this step proves that the certificate was indeed issued by the CA authority.

· Verifying the certificate signature is the key. The certificate signature is a string symmetrically encrypted by the CA private key on a hash value when the website applies for a certificate. It can be expressed as:

Sign = encrypt(Hash (" Certificate authority "+" certificate validity period "+" certificate owner "+" public key "))

· Steps for verifying signatures:

  1. The client obtains the public key of the CA from the system root certificate and decrypts the signature to obtain the hash value.
  2. The client uses the same method to combine certificate information and the same algorithm to obtain the hash value.
  3. Compares whether the decrypted hash value is the same as the hash value concatenated by the client.

The client takes a look at the information provided by the certificate, decrypts it through the CA public key, proves that the information provided by the certificate has been confirmed by the CA private key (the signature of the certificate), and then trusts the information provided by the certificate.

Just like a real life bill, trust the information in the bill because there is a unique agency seal (although it can be forged, asymmetric secret seals cannot be forged)

· The flow chart of HTTPS is as follows:

Problems solved:

  1. Asymmetric encryption is only used to transmit the cipher book. Symmetric encryption is used for actual data transmission, which solves the problem of slow decryption speed of asymmetric encryption

  2. CA digital certificate authenticates public key to solve the trust problem of public key transmission

Step by step, all problems solved, is not special nice!!

It should be pointed out that ALTHOUGH HTTPS can protect the security of data during transmission, HTTPS is not a panacea and cannot solve all security problems. HTTPS cannot solve XSS attacks, CSRF spoofs, XST tracing by cross-site scripts, SQL injection attacks, and virus attacks. To solve these security problems, measures should be taken at the communication terminal to ensure user data security.